At Nocks we consider the security of our systems very important. Despite the great care we take with security, weak spots or vulnerabilities can still be found.
If you’ve found one of those vulnerabilities in our systems we would love to hear from you so we can take proper measures. We want to collaborate with you to protect our systems and our users even better.
Our production environment has automated hacker detection and will block visitors that match certain criteria or hit a threshold. Therefore we have created a separate environment where you can use our platform without interference from these protections.
This environment uses fake funds and is not connected to production in any way. To learn more about how we process fake funds, please check our documentation.
Please use the following URL for your research: https://hackme.nocks.com
We ask you:
* To send your findings to the following email address: firstname.lastname@example.org
* To not abuse or further exploit the issue by downloading more data than necessary to demonstrate the breach, or by viewing, deleting or modifying data of any third parties and/or Nocks users.
* To not share the issue or bug with others until it is solved and all confidential data obtained through the breach have been deleted.
* To not use any form of attack on physical security, social engineering, distributed denial of service, spam or third party applications.
* To provide proper information to reproduce the issue so we can fix it as fast as possible. Usually the IP or the URL of the breached system and a description of the vulnerability are enough, but with more complex issues more data may be required.
What we promise:
* To reply to your disclosure within 3 business days with our assessment and an estimate of when we expect to have a solution ready.
* If you have complied with the above terms, we won’t consider any legal measures for disclosing your findings.
* We treat your disclosure as confidential and do not share your personal details without your permission with any third parties unless we are compelled by law to do so. Disclosure under a pseudonym is possible.
* We will keep you informed during the process of solving the issue.
* For disclosing the found vulnerability we can, if you want, mention your name to credit you for your assistance. As a thank you for your assistance, we offer generous bug bounties for disclosing bugs that we weren’t aware of yet. The size of a bounty is determined by the severity of the vulnerability and the quality of the disclosure, with a minimum of €50.
We strive to solve any found issues as fast as possible, and we would gladly be kept in the loop on any publications about the issue after it’s fixed.